
ClearPass - Allow "Preapproved" Devices

  • 1.  ClearPass - Allow "Preapproved" Devices

    Posted Sep 26, 2018 04:15 PM

    Hi everyone,


    I'm a bit new to ClearPass.  I have managed to get authentication to happen pretty easily from AD credentials, but the enforcement is giving me some problems.  We have a mix of Windows (AD joined), Chromebooks, and iPads that we would like to allow access to our main network, but deny all other users.  These are essentially "trusted devices".


    Since we are not doing just Windows devices, I cannot enforce machine authentication.  I have added the Google Admin Console as an "endpoint repository".  I've tried enforcing a rule of dropping all by default and allowing devices in the "known" endpoint repository.  That has resulted in all devices being denied.


    Could someone point me in the right direction for how I should think about allowing these devices?


    Thanks in advance!
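As an added illustration (not from this thread or from Aruba), here is a small Python model of the "deny by default, allow endpoints in the known repository" policy described above, with RADIUS Calling-Station-Id normalisation and first-match rule evaluation. The rule names, profile names and repository contents are constructed, and the "first applicable" evaluation semantics is an assumption about how ClearPass orders rules.

```python
import re
from dataclasses import dataclass

def norm_mac(mac):
    """Normalise Calling-Station-Id variants (AA-BB-CC-.., aabb.cc00.., aabbcc..)
    to lowercase colon form so repository lookups do not miss on formatting."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

# Constructed endpoint repository keyed by normalised MAC; stands in for the
# devices ClearPass learns from Google Admin Console, AD computer objects, etc.
KNOWN_ENDPOINTS = {
    norm_mac("AA-BB-CC-00-00-01"): {"source": "google-admin", "os": "ChromeOS"},
    norm_mac("aabb.cc00.0002"):    {"source": "ad-computer",  "os": "Windows"},
}

@dataclass
class Request:
    username: str
    auth_ok: bool            # PEAP-MSCHAPv2 user credential accepted by AD
    calling_station_id: str  # client MAC as sent by the NAS

# Enforcement rules in priority order: (rule name, condition, enforcement profile).
# Hypothetical names; the second rule models the BYOD-on-same-VLAN idea.
RULES = [
    ("trusted-device",
     lambda r, repo: r.auth_ok and norm_mac(r.calling_station_id) in repo,
     "Allow-Main-Network"),
    ("byod-user", lambda r, repo: r.auth_ok, "Allow-BYOD-Restricted"),
]
DEFAULT_PROFILE = "Deny-Access"

def enforce(req, repo=KNOWN_ENDPOINTS, rules=RULES, first_applicable=True):
    """Return a list of (rule name, profile). first_applicable=True models the
    assumed 'first applicable' evaluation (first matching rule wins); False
    collects every matching rule's profile. No match -> default deny."""
    hits = [(name, profile) for name, cond, profile in rules if cond(req, repo)]
    if not hits:
        return [("default", DEFAULT_PROFILE)]
    return hits[:1] if first_applicable else hits

if __name__ == "__main__":
    for r in (Request("student1", True, "AA-BB-CC-00-00-01"),
              Request("guest", True, "11:22:33:44:55:66"),
              Request("student1", False, "AA-BB-CC-00-00-01")):
        print(r.username, r.calling_station_id, enforce(r))
```

Passing an empty repository (or one keyed by a value other than the client MAC) with only the trusted-device rule reproduces the "every device denied" outcome from the post.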

  • 2.  RE: ClearPass - Allow "Preapproved" Devices

    Posted Sep 26, 2018 04:22 PM

    What EAP methods are in use? Strong credentials should attest to device authorization.

  • 3.  RE: ClearPass - Allow "Preapproved" Devices

    Posted Sep 26, 2018 04:30 PM

    Thanks for the quick reply.  We are using PEAP MSCHAPv2 because the Chromebooks and iOS devices do not support device authentication.  All of our devices, with the exception of the iOS devices, automatically pass the usernames and passwords to make it seamless.

  • 4.  RE: ClearPass - Allow "Preapproved" Devices

    Posted Sep 26, 2018 04:37 PM

    Both platforms support device certificates.

  • 5.  RE: ClearPass - Allow "Preapproved" Devices

    Posted Sep 26, 2018 04:48 PM

    All of the research that I have seen shows that device certificates are not feasible on Chrome devices because they require a special onboarding network and require our students to go through a special process.  Are you aware of an automatic way of provisioning these certificates on the devices with no user intervention, but still allowing for username credentials to be passed to the controller for accounting purposes?


    I should probably also note that we would eventually like to use the same VLAN for BYOD devices but with firewall rules on the aruba controller to limit access.  I apologize for moving the goalposts.